Why Employee Training Is Important and Some Tips

In this video, you will learn about the value of employee training to increase awareness around network threats.
In this video, we’re talking about why employee training is important, and we’ll also be giving some tips.
So according to Varonis Cyber Security for 2020, hackers attack every 39 seconds, on an average of 2,244 times a day. Data breaches exposed 4.1 billion records in the first half of 2019. And the average cyber security spending per employee is $1,178. Now those are pretty staggering numbers.
Now your employees deal with a lot of things every day, between the social engineering attacks, phishing and spear phishing, cold calls where people might try to social engineer in person, and also the unwitting insider attack. Now training is going to be key in helping circumvent this. But the problem with training is we can’t make it too confusing. If the training is too confusing, your employees are likely to either misunderstand what you’re trying to communicate out, and/or ignore it. If you make it too boring, your employees, again, are probably not going to pay too close attention and again ignore what you’re trying to teach them. Now if you make it too dumbed down, they could find it patronising or too restrictive. And then you’re going to get backlash. And again, they’re not really going to engage in that training.
So in figuring out, we need to consider a few different things here. We need to assess where our users can help us secure our network. After all, there tends to be a lot more users than there are, say, IT personnel to secure your network. We need to determine where we need to improve our own security posture. We should determine, if possible, how knowledgeable our users are so we could actually structure our training to that as much as possible. We need to determine how much time our training will be and where they’re going to take it. How our users train will be online, in person, off site. How do we keep our users engaged and willing to participate? And also, with the training, are we going to do it in-house, or are we going to outsource it? Now one method that’s popular is gamification.
And the people that you train don’t necessarily have to be, say, hardcore gamers. A lot of people or even casual gamers playing things like Words with Friends, or Candy Crush, stuff like that. Gamifying your training can make it fun, engaging. And ultimately, that’s what you need to do. You need to capture your audience’s attention. So that’s where gamification can come in handy. Now tips for gamification - there’s a lot of things online that kind of discuss gamification. Also, there’s third-party companies that will help gamify, say cyber security training for you.
Protecting your own investments and ownership. Now also explain to your employees that you work for this company. You help make up this company. And if something happens in a company, it affects you also, something like a ransomware attack, a ransomware attack where the company has to pay a lot of money out. That may result in lost wages, lost employment, and whatnot. So explaining to your employees that we’re all part of this together can help make things a lot more easier for an employee to understand that, well, I need to participate. I need to protect my own investment. I need to protect my own job by helping out the company.
Not so much telling people that, well, if you fail to report a cyber security incident or you accidentally create a cyber security problem, we’re going to fire you. I don’t personally think that’s a good posture to take. But again, telling an employee that, well, we’re all in this together. We all work here together. We all help make this company, so we all need to take our part to help protect it is a better route to go. Now rewarding employees with a tangible reward or recognition can also go a long way too. Now the tangible reward doesn’t necessarily have to be anything really expensive. It could be, say, a plaque or whatnot.
And recognition-wise, giving an employee recognition, say if you have a newsletter, you put out a newsletter and say, hey, so-and-so was able to catch this really nasty phishing email that could’ve potentially cost us tens of thousands, $100,000 or whatnot. And we really appreciate what they did. Great job catching this. Thanks for helping out, and we look forward to who’s going to be the next person that’s going to be our security champion, something like that. You make the employees feel good. You get them engaged. You might even get a little bit of competition between people that, oh, hey, such-and-such got an award. They got recognition. OK, I’m going to go for that.
I’m going to see if I could get recognition next month for this. Things like that could help your cyber security posture and your training. Now in wrapping up, training employees is a vital way to help secure your network. Your trainings need to be engaging, informative, intrinsically tailored to the user as much as possible. Teaching a user about account provisioning is not too useful for the custodian, for example. So you do want to make sure that it’s actually tailored for what they need to know and how they could help. Making sure your trainings are not too confusing, boring, or it’s going to interfere with the employee’s ability to work efficiently is really important.
And thinking differently, gamification, recognition could be a simple way to engage your employees and keep them engaged. So this was about employee training. In the next video, we’re going to be talking about why you need to strike a balance between security and ease of use. Thank you for watching. I’ll see you in the next video.

It is important that all users of your network understand that they can be targeted to infiltrate your network. This video explains the importance of training employees to increase awareness of social engineering and other common network threats and provides tips on how to protect employees and your network from these attacks.

